How Magecart attackers monetize stolen payment card info

The Magecart campaign, aimed at compromising online shops with malicious JavaScript code to collects payment card info, is still going strong, and researchers have pinpointed another way threat actors behind it monetize the stolen information.

First spotted in October 2016 by RiskIQ and ClearSky researchers, Magecart mainly hits e-commerce sites running outdated and unpatched versions of shopping cart software from Magento, Powerfront, and OpenCart.

After gaining access to the web platforms, the attackers change the source code of the website to include the malicious script. The script loads from one of the many domains they set up to host it, and can hook web forms and access data form submissions.

The attackers are after payment card info, but also after any type of personal and financial information that could help them use the stolen information more effectively.

Earlier this year, Brian Krebs linked a stolen credit card shop called Trump’s-Dumps to several domains that serve malicious scripts used in the Magecart campaign, leading him to speculate that the criminals behind Trump’s Dumps are stealing credit card data to sell it on for both card-present and online fraud.

Re-shipping of fraudulently bought goods

RiskIQ researchers have been keeping an eye on the campaign since then, and have recently discovered a connection between these threat actors and a physical reshipping company operating with mules in the US.

The contact email address for one of the registered domains used to serve the malicious script has been used as contact information on a number of other compromised domains (an electronic cigarette store, a Hi-Fi goods merchant store, etc.).

But further digging also unearthed a domain (uslogisticexpress.com) that is currently online, but has been used throughout 2016 and pointed to a re-shipping company website masquerading as the website of a freight/logistics provider:

The researchers also found old adverts on Russian/American websites, in which that (fake) company was advertising jobs for US-based citizens.

“US-based citizens are recruited under the pretense of ‘transport agents,’ and receive shipments of electronics or other goods, which they are asked to ship to a different address in Eastern Europe,” the researchers explained.

“These electronics are bought with the credit cards stolen with Magecart during checkout at compromised online stores. It is similar in many ways to other forms of money mules, but rather than a direct transfer of funds, funds are transferred into higher priced goods, which may then be shipped across borders without suspicion.”

As the EMV standard (“chip and PIN”) is being slowly adopted by US retailers, criminals are increasingly opting for card-not-present fraud and re-shipping of goods acquired in this way.

“A lack of overall protection by many online stores and the level of ease by which criminals may gain access to vulnerable web applications leads to many successful fraud operations like Magecart, supporting our belief that attackers are currently scrambling to capitalize on these weak defenses before additional safeguards take effect,” the researchers concluded.